Include lua libraries to enable JWT manipulations

[mtparet]

What this PR does / why we need it:

Today JWT is a common way to secure http transactions. Many people wish to manipulate this data at the proxy level (see issues related).
The first goal here is not to propose a ready to use solution but makes things easier for people so they do not need to modify the nginx controller or the kubernetes deployment.
Perhaps in the future we could propose the ready to use solution but it is out of scope for this PR.

Once this PR is merged, people will only need to add custom lua block in ingress objects while using the official nginx ingress controller.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Which issue/s this PR fixes

Related to :
#5865 #5834 #1850

How Has This Been Tested?

I tested locally on minikube.

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added tests to cover my changes.
• All new and existing tests passed.

[k8s-ci-robot]

@mtparet: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @mtparet. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mtparet
To complete the pull request process, please assign elvinefendi after the PR has been reviewed.
You can assign the PR to them by writing /assign @elvinefendi in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• images/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtparet]

What's you thought on adding these libraries, is there anything I could do to ease the review of this PR ?
@rikatz @ElvinEfendi

[rikatz]

Hi @mtparet and thanks for your PR.

Gonna write my opinion, which may not represent a consensus between other contributors. I think that for now, we should stop adding stuff on Lua side/openresty, just to make sure we have a stable environment.

We have some issues about coredump/segmentation fault that are already pointed as something caused inside openresty (and we are trying to identify that with openresty core developers!) but still not sure what happens.

It may turn into a fragile adding here.

Also, once we want to add a new library, I guess it would be good to have a concrete use case. For instance, some annotation that allows setting some jwt validation before the backend?

Finally, I'm really tempted about replacing some openresty parts to NJS and this is one of those cases that this may suit well.

If you want to take a look into what I'm talking about, take a look at http://nginx.org/en/docs/njs/examples.html

Thanks once more!

[trnl]

@rikatz, are there any plans for njs plugins?

[trnl]

@mtparet, please check SkyLothar/lua-resty-jwt#85, I think you need to reference another repository.

[trnl]

Are you sure that lua-resty-hmac is not required? I think it is a dependency

[rikatz]

@rikatz, are there any plans for njs plugins?

I want to start thinking about it ASAP, ideas are always welcome for this! :D

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rufreakde]

@mtparet is this droped?